The NIS2 Directive moved from a future concern to an active enforcement reality across the European Union. National regulators have started issuing penalties, supply chain audits are intensifying, and B2B buyers now ask their vendors for NIS2 evidence before signing. If your company sells, builds, hosts, or processes data for organizations in essential or important sectors, NIS2 affects you whether you are directly in scope or not. This checklist walks through what compliance actually looks like in 2026.
Who Is in Scope
NIS2 applies to medium and large entities in 18 sectors classified as essential or important. Essential sectors include energy, transport, banking, financial market infrastructure, health, drinking water, wastewater, digital infrastructure, public administration, space, and ICT service management. Important sectors include postal services, waste management, chemicals, food, manufacturing, digital providers, and research. Many B2B technology vendors fall under digital infrastructure or ICT service management even when they would not consider themselves critical.
Even if you are not directly in scope, your customers in scope must manage their supply chain risk, so they will push obligations to you contractually.
The Governance Layer
Start with governance because regulators look at it first:
- Management board accountability documented in formal policy with named responsible officers
- Risk management framework that explicitly covers cybersecurity, not just generic enterprise risk
- Annual security training for management board members with attendance records
- Incident response policy approved by the board and reviewed at least yearly
- Supplier risk policy that requires due diligence and contractual security obligations
Auditors check these documents first. Missing governance evidence is the fastest way to fail an inspection.
The Technical Controls
NIS2 requires proportionate technical measures across ten categories:
- Risk analysis and information system security policies that map threats to controls
- Incident handling including detection, response, and recovery
- Business continuity with backups, disaster recovery, and crisis management
- Supply chain security including third-party risk management
- Security in network and information systems acquisition, development, and maintenance
- Policies to assess the effectiveness of cybersecurity risk management measures
- Basic cyber hygiene practices and cybersecurity training for staff
- Cryptography and encryption policies including where and how they are applied
- Human resources security, access control policies, and asset management
- Multi-factor authentication, secured voice and video, and emergency communications
These categories are deliberately broad. Document how each maps to your actual controls.
Incident Reporting Timelines
NIS2 imposes strict incident reporting timelines that catch many organizations off guard:
- Early warning within 24 hours of becoming aware of a significant incident
- Incident notification within 72 hours with initial assessment and severity
- Final report within one month with root cause and mitigation
Build the runbook now. Test it through tabletop exercises. The 24-hour window will arrive at the worst possible moment.
The Supply Chain Squeeze
NIS2 explicitly requires entities to manage supplier cybersecurity risk. In practice this means:
- Security questionnaires before signing new vendors
- Right-to-audit clauses in contracts
- Incident notification requirements pushed down to suppliers
- Evidence requests during procurement and renewal
- Concentration risk assessments for critical dependencies
B2B vendors that cannot answer these questionnaires lose deals. Get ahead of this by publishing a security trust center with current certifications, SOC 2 reports, penetration test summaries, and a clear NIS2 statement.
Documentation Beats Tooling
A common mistake is buying tools without documenting policies. Regulators want to see decisions and accountability, not just technology. Maintain:
- Policy register with version history and approval records
- Asset inventory including data, systems, and suppliers
- Risk register with treatment decisions
- Incident log with timeline and resolution
- Training records for staff and management
- Audit trail of changes to systems and configurations
These documents are what an inspector asks for. Have them ready in a secure shared drive that the security team controls.
Common Gaps to Close First
If you are starting from a low baseline, prioritize:
- MFA on all admin and remote access without exception
- Asset inventory with ownership for every system and dataset
- Patch management process with documented cadence and exceptions
- Backup verification with regular restore tests
- Centralized logging for at least identity, network edge, and critical applications
- Tabletop incident exercise at least annually with management participation
These are the controls regulators check first when they suspect a problem.
Plan for the Next Wave
NIS2 is not the end. Sector-specific regulations like DORA for financial services, the Cyber Resilience Act for product vendors, and the AI Act for high-risk AI systems are all stacking up. The organizations that build a strong compliance foundation now will be able to add new requirements incrementally. The organizations that treated NIS2 as a one-off scramble will be doing the same scramble again next year. Treat compliance as a continuous program, not a project, and the next regulation will be a small adjustment rather than a crisis.
